KYC

The Latest Developments with European UBO Law

‍The European Court of Justice invalidated the provision of the Anti-Money Laundering Directive that requires EU Member States to grant public access to UBO registers in late November 2022. This was due to data protection issues, as the ruling state believes the wide access provided violates GDPR. ‍Several EU countries provisionally restricted access to the registers, including Luxembourg and the Netherlands.

Thorsten J Gorny
,
January 9, 2023

What is a UBO?

An Ultimate Beneficial Owner or UBO is an individual that benefits from a company even though they are not named as the business owner. It typically refers to a person within the parent company that owns or controls 25% of company shares, has the right to remove the majority of the board, or can exercise significant control over the company. 

Identifying the UBO is an important part of anti-money laundering and Know-Your-Customer (KYC) processes. UBO screening is mandatory for specific industries, including banks and other financial institutions, estate agents, solicitors etc. Companies need to understand exactly who they are doing business with to avoid enabling money laundering operations, terrorist financing or sanctions violations.

UBO registers 

The EU Court's ruling follows two references from preliminary rulings from the Tribunal d'arrondissement de Luxembourg (District Court of Luxembourg).

Luxembourg law adopted in 2019 established a register of Beneficial Ownership whereby information related to beneficial owners of registered entities must be entered and retained. Some of this information is accessible to the general public via the Internet, although beneficial owners were able to request that their information remain restricted. 

When the beneficial owner of a real estate company applied to the Luxembourg court for a restriction of information due to concerns that his family may be exposed to a "real and disproportionate risk" of violence as he frequently travels to countries with unstable political regimes, the court denied this request. This led to a lawsuit. The Luxembourg court then approached the European Court of Justice for a preliminary ruling. 

The Ruling

The European Court of Justice had to resolve the conflict between the 3rd EU Anti-Money Laundering Directive (AML3) and the General Data Protection Regulation (GDPR). Both acts required interpretation in conformity with fundamental rights within the meaning of the EU Charter of Fundamental Rights. 

Under AML3, member states may provide exemptions from the disclosed agreement in exceptional circumstances, e.g. the threat of violence, kidnapping or extortion to beneficial owners. 

GDPR requires a balanced approach to data privacy and lawfulness. For example, it provides that data may be transferred to a third country or an international organization if the data originates from a register that is open to the entire public. 

The court ultimately ruled that the disclosure of the beneficial owner's data interferes with the EU Charter of Fundamental Rights Articles 7 and 8, which refers to private and family life and data protection. It found that making UBO information available to the public should be considered "heavy interference", despite achieving the objective of serving the public interest. 

The consequences of the ruling

The court did not make any clear statements about alternatives in implementing the directive, and member states were unable to agree on a uniform decision of the "legitimate interest" for which access to the register must be restricted. 

However, while the rights of UBOs are protected, businesses are still required to comply with strict requirements, including maintaining registers of the UBOs of the companies they do business with. 

Under FinCEN's customer due diligence requirements, for example, financial institutions must still verify and identify ultimate beneficial ownership information, which will require the collection and verification of personal information.

This means that a business conducting customer due diligence on an EU data subject needs to ensure that the customer provides express consent for the processing of their personal data. Under GDPR, there must be a legal basis for personal processing information and data collection must be limited to what is strictly necessary. 

The latest development doesn't exempt financial institutions from complying with AML, but it poses additional challenges in collecting, processing and storing information - even as customer due diligence obligations increase. 

Financial institutions should be aware of the limitations and obligations placed on UBO data and ensure that their customer due diligence processes are as accurate, fast and automated as possible to uncover red flags related to the entities they do business with.

New Sanctions Screening Guide
Download our FREE Sanctions Screening Guide and learn how to set up an effective sanctions screening process in your organization.
New Case Study
Discover how technology companies streamline global sanctions compliance with sanctions.io
Thorsten J Gorny
Thorsten is Co-founder & CEO of sanctions.io. He has worked for more than 15 years in the tech industry with focus on bringing ideas to life, and building great teams and products. At sanctions.io he is mainly responsible for Business Development, Growth and Strategy.
Enjoyed this read?

Subscribe to our Newsletter right now and never miss again any new Articles, Guides and more useful content for your AML and Sanctions compilance.

Success! Your email has been successfully registered for our newsletter.
Oops! Something went wrong while submitting the form.